RSA Could Pay Dearly for $10M NSA Gig

"I was scheduled to deliver a talk at and participate in an FTC panel at the RSA Conference USA 2014," wrote security guru Mikko Hypponen in a Wednesday update. "Initially I only canceled my talk, as I didn't want to punish the FTC which had nothing to do with the events I was protesting about. ... I don't want to send mixed messages, so I have canceled all my appearances at RSA 2014."

By Richard Adhikari
01/08/14 2:23 PM PT

At least eight security experts who had signed up for the RSA 2014 security conference to be held Feb. 24-28 in San Francisco have publicly pulled out.

The departures are part of the backlash within the cybersecurity community against RSA for reportedly accepting US$10 million from the U.S. National Security Agency in exchange for embedding a flawed random number generator, which the agency provided, into one of RSA's Bsafe security products.

"This is simply a group of people expressing their disapproval for the way that RSA has handled [the issue]," Taia Global's Carr told TechNewsWorld.

RSA "is the real target, [and] there should be a boycott of all RSA products," Carr continued.

The Fighting Finn

Hypponen's Dec. 23 withdrawal was perhaps the most prominent: In a highly publicized open letter to RSA Executive Chairman Art Coviello and Joseph Tucci, chairman and CEO of RSA's parent company EMC, he canceled his scheduled speech.

He was also scheduled to participate in a United States Federal Trade Commission panel at the conference.

Hypponen on Wednesday updated his letter to say he was canceling all appearances at RSA 2014 and that F-Secure would not speak, sponsor or exhibit at the conference.

Cognitive Dissonance?

"RSA's behavior in light of the allegations has driven a wedge into the industry," said Tim Erlin, director of IT security and risk strategy for Tripwire.

"In spite of the vocal protests and disagreements about RSA's response to government pressure, there's also an undercurrent of quiet support for the business decision that RSA made," he told TechNewsWorld.

However, the company is the villain, according to Carr's deconstruction of RSA's statements on the NSA contract.

"If the company is presented with a National Security letter or other legal document which mandates their assistance, then clearly they have no choice," he remarked. "That wasn't the case with RSA. The problem is entirely of RSA's making."

The NSA "was merely continuing its long-term mission to find a way to break encryption for national security reasons," Carr continued.

"The cover-up, denial and obfuscation are the real problems," Erlin said. "There's always a choice in any situation, but there are also consequences of that choice."

Judge Not...

Though there appears to be a line drawn in the sand, some are still reserving judgment on the issue.

"I want to see more statements from RSA about the allegations," said Chris Jay Hoofnagle, director of information privacy programs at the Berkeley Center for Law & Technology. Scheduled to speak at the conference, he had not decided whether to pull out as of Wednesday.

"Fundamentally, it does not make sense to me that RSA would agree to the scheme for only $10 million," Hoofnagle told TechNewsWorld. "It simply is not an economical decision, and the corrosive effect of the alleged decision could cause RSA to become our generation's CryptoAG."

CryptoAG, which makes encryption machines and cypher devices, has been accused of working with intelligence agencies -- including the NSA -- to rig its devices for their use.

Will the RSA Conference Survive?

The impact of the refusal of security experts to participate in RSA 2014 has yet to be calculated.

"If enough speakers decide to decline the opportunity to speak, it will certainly affect the quality of the 2014 conference, as well as the ability of conference organizers to obtain high-profile speakers for 2015," Tripwire's Erlin remarked.

"What we've seen so far really amounts to a first wave of protest, and it certainly has spurred discussion, including dissenting views," he continued.

However, "unless there's a truly unimaginable domino effect on the remaining speakers, it's unlikely to affect the attendance numbers this year."